summary: Test for permissions of files related to audit
description: |+
    Attributes:
     * owner
     * group
     * permissions
     * selinux context

    Objects:
     * Directories:
       * /etc/audit/
       * /etc/audit/rules.d/
       * /var/log/audit/
     * Files:
       * /etc/audit/auditd.conf
       * /etc/audit/audit.rules
       * /var/log/audit/audit.log
       * /var/log/audit/audit.log.* (rotated logs)

    Expected Values:

    In general we expect root for both user and group ownership for all
    objects. The only exception is when log_group is set non-root in
    audit.conf, then /var/log/audit and all audit.log files should be
    owned by that particular group. Log files in /var/log/audit are
    writable by root only, rotated logs are not writable. Detailed
    expected values can be found in tables below:

    User       : root
    Group      : root
    Context    : system_u:object_r:auditd_etc_t:s0
    Permissions:
      - /etc/audit/                 0750
      - /etc/audit/rules.d/         0750
      - /etc/audit/auditd.conf      0640
      - /etc/audit/audit.rules      0640

    User       : root
    Group      : root/log_group
    Context    : system_u:object_r:auditd_log_t:s0
    Permissions:
      - /var/log/audit/             0700/0750
      - /var/log/audit/audit.log    0600/0640
      - /var/log/audit/audit.log.*  0400/0440

contact: Ondrej Moris
component:
  - audit
test: ./runtest.sh
recommend:
  - audit
duration: 5m
enabled: true
tag:
  - CI-Tier-1
  - NoRHEL4
  - Tier1
  - Tier1security
tier: '1'
link:
  - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1362582
adjust:
  - enabled: false
    when: distro < rhel-7
    continue: false
extra-nitrate: TC#0533240
extra-summary: /CoreOS/audit/Sanity/permissions
extra-task: /CoreOS/audit/Sanity/permissions